Almost 20 percent of the Internet was brought to its knees Saturday when a fast-spreading computer worm attacked the main pillars of the information superhighway. Security experts are already calling the attack the worst the Internet has suffered in almost two years, when a similar worm called Code Red wreaked havoc. This time, the worm--dubbed "SQL Slammer" and "Sapphire"--targeted servers running Microsoft SQL Server 2000 and 7.0, though Microsoft first supplied a fix that would have prevented this problem last July, and released a Service Pack 3 (SP3) update for SQL 2000 with the fix included just last week. As is usually the case with such outages, human error--in the form of inadequately updated servers--is at fault.
"Microsoft is currently investigating a virus that appears to affect versions of SQL Server 2000 that are not up to date with service packs," the company wrote in a statement on its Web site this weekend. "The attack has resulted in widespread Internet availability issues. At this time, we highly recommend that all of our customers running SQL Server 2000 update their servers immediately to SP3."
As of Saturday evening, almost 200,000 servers were compromised by the worm. But experts I spoke with at DataPipe, a New York-based hosting company, said that the worm is relatively benign, replicating itself and presenting a Denial of Service (DoS) attack. "It's not malicious code, so it doesn't delete or pass customer data along to other servers," said Brian Laird, Senior Application Developer at DataPipe. "Unfortunately, Microsoft has issued several cumulative security patches for SQL Server since the original patch was issued in July. Had administrators installed any of these patches, this worm would have been prevented from spreading."
Many network administrators, including those at DataPipe, were able to block SQL network traffic and help prevent the spread of the worm and ease network congestion. Others weren't so lucky. DellHost, Interland and other hosting companies were brought completely to their knees, as were many of UUNet's core routers. Worldwide, the worm caused damage in a variety of locations, including South Korea's largest Web access provider, KT Corp, which was taken completely offline Saturday.
Investigators at the FBI's US National Infrastructure Protection Center are looking into the problem, but haven't yet figured out where the attack originated. By Saturday evening, however, Internet traffic had returned to normal levels as network administrators shored up their SQL Server boxes.
For Microsoft's response, and to download SQL Server 2003 SP3, please visit the Microsoft Web site.